#11393: SEGV on libavcodec/jpeg2000dec.c:1491:59
---------------------------------+--------------------------------------
             Reporter:  0x20z    |                      Type:  defect
               Status:  new      |                  Priority:  important
            Component:  avcodec  |                   Version:  git-master
             Keywords:           |                Blocked By:
             Blocking:           |  Reproduced by developer:  0
Analyzed by developer:  0        |
---------------------------------+--------------------------------------

Summary of the bug:
Dear developers, I have discovered a Segmentation Fault vulnerability. The POC file is attached to the session, and the version of ffmpeg is N-118197-gbb85423142, the main branch. Please confirm.

How to reproduce:
{{{
git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
./configure --cc=clang --cxx=clang++ --toolchain=clang-asan \
  --extra-cflags="-I$HOME/ffmpeg_build/include -O0 -fno-omit-frame-pointer -g" \
  --extra-cxxflags="-O0 -fno-omit-frame-pointer -g" \
  --extra-ldflags="-L$HOME/ffmpeg_build/include -fsanitize=address -fsanitize=undefined -lubsan" \
  --disable-optimizations --disable-stripping --enable-cross-compile
make -j30
./ffmpeg -y -i poc tmp.mp4
}}}

ASAN log:
{{{
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4155776==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5c833916beed bp 0x707b21dfe040 sp 0x707b21dfd150 T1)
==4155776==The signal is caused by a READ memory access.
==4155776==Hint: address points to the zero page.
    #0 0x5c833916beed in jpeg2000_decode_packet FFmpeg/libavcodec/jpeg2000dec.c:1491:59
    #1 0x5c83391635ae in jpeg2000_decode_packets_po_iteration FFmpeg/libavcodec/jpeg2000dec.c:1595:40
    #2 0x5c8339162ae6 in jpeg2000_decode_packets FFmpeg/libavcodec/jpeg2000dec.c:1856:15
    #3 0x5c833914e32b in jpeg2000_read_bitstream_packets FFmpeg/libavcodec/jpeg2000dec.c:2651:20
    #4 0x5c8339143d46 in jpeg2000_decode_frame FFmpeg/libavcodec/jpeg2000dec.c:2880:15
    #5 0x5c8338ac27f5 in decode_simple_internal FFmpeg/libavcodec/decode.c:443:16
    #6 0x5c8338ab04f4 in decode_simple_receive_frame FFmpeg/libavcodec/decode.c:613:15
    #7 0x5c8338aadd59 in ff_decode_receive_frame_internal FFmpeg/libavcodec/decode.c:649:15
    #8 0x5c83396b21ff in frame_worker_thread FFmpeg/libavcodec/pthread_frame.c:295:19
    #9 0x707b24694ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
    #10 0x707b2472684f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV FFmpeg/libavcodec/jpeg2000dec.c:1491:59 in jpeg2000_decode_packet
Thread T1 (av:jpeg200:df0) created by T0 here:
    #0 0x5c8336dd625c in __interceptor_pthread_create (FFmpeg/ffmpeg+0x7b725c) (BuildId: e9074a31dadd6ca9f015fa496c6951e0bb7210b0)
    #1 0x5c83396afe91 in init_thread FFmpeg/libavcodec/pthread_frame.c:913:11
    #2 0x5c83396aeb2f in ff_frame_thread_init FFmpeg/libavcodec/pthread_frame.c:972:15
    #3 0x5c83396a7678 in ff_thread_init /FFmpeg/libavcodec/pthread.c:79:16
    #4 0x5c833868ebbd in avcodec_open2 FFmpeg/libavcodec/avcodec.c:323:15
    #5 0x5c8336e2aed4 in dec_open FFmpeg/fftools/ffmpeg_dec.c:1602:16
    #6 0x5c8336e2915b in dec_init FFmpeg/fftools/ffmpeg_dec.c:1662:11
    #7 0x5c8336e3e474 in ist_use FFmpeg/fftools/ffmpeg_demux.c:950:15
    #8 0x5c8336e3f272 in ist_filter_add FFmpeg/fftools/ffmpeg_demux.c:986:11
    #9 0x5c8336e6d919 in ifilter_bind_ist FFmpeg/fftools/ffmpeg_filter.c:690:11
    #10 0x5c8336e6ceeb in fg_create_simple FFmpeg/fftools/ffmpeg_filter.c:1230:11
    #11 0x5c8336eb21ff in ost_bind_filter FFmpeg/fftools/ffmpeg_mux_init.c:999:15
    #12 0x5c8336ea67ad in ost_add FFmpeg/fftools/ffmpeg_mux_init.c:1536:15
    #13 0x5c8336ea09be in map_auto_video FFmpeg/fftools/ffmpeg_mux_init.c:1640:16
    #14 0x5c8336e99724 in create_streams FFmpeg/fftools/ffmpeg_mux_init.c:1969:19
    #15 0x5c8336e97b55 in of_open FFmpeg/fftools/ffmpeg_mux_init.c:3335:11
    #16 0x5c8336ec4512 in open_files FFmpeg/fftools/ffmpeg_opt.c:1363:15
    #17 0x5c8336ec3e38 in ffmpeg_parse_options FFmpeg/fftools/ffmpeg_opt.c:1419:11
    #18 0x5c8336f0cfad in main FFmpeg/fftools/ffmpeg.c:974:11
    #19 0x707b24629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

==4155776==ABORTING
}}}

ffmpeg version:
{{{
# ./ffmpeg -version
ffmpeg version N-118197-gbb85423142 Copyright (c) 2000-2024 the FFmpeg developers
built with Ubuntu clang version 14.0.0-1ubuntu1.1
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-asan --enable-cross-compile
libavutil      59. 53.100 / 59. 53.100
libavcodec     61. 28.100 / 61. 28.100
libavformat    61.  9.102 / 61.  9.102
libavdevice    61.  4.100 / 61.  4.100
libavfilter    10.  6.101 / 10.  6.101
libswscale      8. 13.100 /  8. 13.100
libswresample   5.  4.100 /  5.  4.100
}}}

Found by:
{{{
Found by 0x20z
}}}

Thank you for your time and attention

--
Ticket URL: <https://trac.ffmpeg.org/ticket/11393>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
_______________________________________________
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac